February 15, 2019
Balancing Employer Policies and Employee Rights: Remote Monitoring in the Workplace
by John Marshall, Marshall & Forman LLC & Maddie Rettig, 3L at Moritz College of Law
With advancements in technology, employees increasingly work non-traditional schedules, including from remote locations.1 Advancements in technology provide the means to remotely monitor employees in both the office and remote locations.2 However, employer remote monitoring policies raise questions surrounding compliance with existing state and federal laws.3
This article explores the legal landscape for employers who implement remote monitoring policies. Electronic workplace monitoring policies must comply with federal and state wiretapping laws, state statutory and common law surrounding privacy, employment discrimination laws, and the National Labor Relations Act (“NLRA”).4 Public employers must also comply with the Fourth Amendment.
Under the federal Wiretap Act, employers may not, absent consent, monitor employee telephone calls without a legitimate business purpose.5 Similarly, the Stored Communications Act (“SCA”) prohibits employers from “intentionally access[ing] without authorization a facility through which an electronic communication is provided” in order to obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage.6 If an employer’s policies authorize review of communications stored on employer-provided communications services, the SCA permits such review.7 However, the SCA protects employees’ private, though not public, communications which are stored on non-employer-provided systems, such as personal secure websites, social media pages, and personal emails.8
In Ohio, no statute specifically protects employee privacy or regulates remote monitoring.9 Protections against surveillance are found in the Ohio Wiretap Law, which prohibits the intentional interception of a wire, oral, or electronic communication.10 Employees in Ohio have no expectation of privacy in employer-owned office spaces, computers, or desks that are accessible to other employees.11 However, Ohio recognizes four common law bases for invasion of privacy, including the wrongful intrusion into an employee’s private activities, which causes mental suffering, shame, or humiliation to a reasonable person and the publication of an employee’s private affairs.12 When monitoring employee communications, the more personal and private employees’ emails on a company-issued device, the less likely the employer’s monitoring will survive balancing in the totality of the circumstances.13
Electronic monitoring of employees must comply with anti-discrimination laws.14 Employers violate such laws when policies target, or disproportionally subject, protected classes to monitoring.15 Moreover, when electronic monitoring uncovers employee protected complaints and traits, employers may not retaliate against complaining employees nor discriminate based on that protected trait.16
Employers must comply with the NLRA in any workplace monitoring policies.17 The NLRA protects employees’ concerted activity from employer adverse action; prohibits employers from conducting surveillance over union organizing efforts; prevents employers from violating a Collective Bargaining Agreement; compels bargaining about monitoring policies when required; and protects employees’ Section 7 rights from employer policies which infringe upon those rights.18 Remote monitoring policies must account for these provisions.
Employers and employees alike should consider potential privacy implications.19 Employers should implement policies which communicate clearly the extent of employee monitoring practices.20 Employees should err on the side of caution when using employer-provided devices by not accessing information which they wish to keep private.
1. See generally, Bureau of Labor Statistics, U.S. DEPARTMENT OF LABOR, THE ECONOMICS DAILY, On days they worked, 22 percent of employed did some or all of their work at home in 2016, available at https://www.bls.gov/opub/ted/2017/on-days-they-worked-22-percent-of-employed-did-some-or-all-of-their-work-at-home-in-2016.htm (last accessed Jan. 28, 2019).
2. See, e.g., Susanna Lichter, Federal and State Wiretap Act Regulation of Keyloggers in the Workplace, HARVARD J. OF L. & TECH., available at https://jolt.law.harvard.edu/digest/federal-and-state-wiretap-act-regulation-of-keyloggers-in-the-workplace (last accessed Jan. 28, 2019) (discussing employer use of keyloggers, which are “easy to use and inexpensive hardware or software devices [which] record keystrokes and allow a monitor to access email, and other password-protected accounts”).
3. See id. (highlighting a “conflict of interpretations between jurisdictions leav[ing] people in many states vulnerable to invasive employer spying.”).
4. Electronic Workplace Monitoring and Surveillance, Practical Law Practice Note 1-506-8862.
5. 18 U.S.C. § 2511 (providing exceptions to the Act based on: quality control purposes, after giving employees advance notice that calls will be monitored; enforcement of restrictions on personal use of employer telephones; or with employee consent). Cf. 18 U.S.C. § 1030 (prohibiting any unauthorized access to another’s computer).
6. 18 U.S.C. § 2701(a). It is also unlawful to “intentionally exceed an authorization to access that facility.” Id.
7. Id. at § 2701(c)(1).
9. Employee Privacy Laws: Ohio, Practical Law State Q&A 7-569-8165.
10. R.C. 2933.52(A). An interception is permissible if the person intercepting is a party to the communication or if one of the parties to the communication consented to the interception. Id. at 2933.52(B).
11. Mullins v. Ohio Bd. of Regents, 2010 WL 591044 (Ohio Ct. Cl. Jan. 22, 2010); Matikas v. Univ. of Dayton, 788 N.E.2d 1108, 1116 (Ohio Ct. App. 2003).
12. Welling v. Weinfeld, 866 N.E.2d 1051, 1053-1059 (Ohio 2007).
13. Lazette v. Kulmatycki, 949 F. Supp. 2d 748 (N.D. Ohio 2013). Cf. City of Ontario v. Quon, 560 U.S. 746 (2010) (holding a public employer’s searching of employee text messages on employer-provided pagers was reasonable).
14. See supra note 5. Cf. Marshall v. Mayor and Alderman of City of Savannah, Ga., 366 F. App’x 91, 99-100 (11th Cir. 2010) (dismissing a sex discrimination case where a female probationary firefighter, who was disciplined for posting risqué pictures to her Myspace page, claimed she was singled out and treated differently than male firefighters who engaged in the same or similar conduct).
15. See supra note 5.
18. 29 U.S.C. §§ 157-58.
19. See, e.g., Kaveh Waddell, Why Bosses Can Track Their Employees 24/7, THE ATLANTIC (Jan. 6, 2017), available at https://www.theatlantic.com/technology/archive/2017/01/employer-gps-tracking/512294/ (last accessed Jan. 28, 2019) (discussing how some jurisdictions allow employers to GPS monitor employee locations both on and off the clock); Crafting “Bring Your Own Device” (“BYOD”) Policies to Protect Your Company Data and Ensure Compliance with the Law, RYLEY CARLOCK & APPLEWHITE (Oct. 11, 2018), available at https://www.rcalaw.com/crafting-bring-your-own-device-byod-policies-to-protect-your-company-data-and-ensure-compliance-with-the-law (last accessed Jan. 28, 2019) (“Because the interrelationship between employee privacy and the law is still developing, there is a significant dearth of case law and even federal/state legislation covering the issues.”).
20. Remote Employees: Best Practices, Practical Law Practice Note w-001-3935 (“Best practices for workplace monitoring of remote employees and minimizing the risk of liability include: Implementing and distributing a clear electronic communications systems policy[;] Notifying remote employees that they have no expectation of privacy when using the employer’s email or computer systems and that their electronic communications using these systems may be monitored[;] Explaining the business purpose of the monitoring policy, such as: tracking employee efficiency and productivity; protecting against disclosure of trade secrets; and ensuring compliance with federal and state laws and company policies.”).